Office (OLE) / .XLS malware analysis — malicious · 3d499f9e24258eac

MALICIOUS

Office (OLE) / .XLS

2.02 MB Created: 2008-11-12 07:15:42 Authoring application: Microsoft Excel

MD5: 2aebbc1317955fba151dd07c7a776434 SHA-1: 2b60efd9d3dae1603cce1139e5d065ede974be43 SHA-256: 3d499f9e24258eacf275038956f0db2765ef28a5dc2122417618a572d333683d

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is an Excel XLS file containing legacy Excel 4.0 (XLM) macros, specifically identified as a formula macro virus. The heuristics indicate the presence of 'Poppy by VicodinES' and 'The Narkotic Network', suggesting a known, albeit old, malware lineage. The macros are designed to infect other workbooks and save them as 'Book1.xls' in the 'xlstart' directory, indicating an attempt at propagation and persistence. The document body contains what appears to be a garbled service report, likely a lure.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.